Looks like today's theme is
@cR0w I read this as... don't patch
@kajer @cR0w weird, just about every company I've ever worked for has interpreted it identically.

@rootwyrm @cR0w Someone has to have the voice of corp-tech.

If I can't patch... invalid way to address the problem, because conditions will apply.

If I never patch, then there are no conditions, and we're still running prod! WOO!

@kajer @cR0w most shops, the excuse is "it's stable! We shouldn't patch, it might introduce problems."

And that's how your extremely critical Internet facing infrastructure is running Docker containers from 2018 that have been abandoned upstream.

@rootwyrm @kajer blows dust off SCADA HMI keyboard for host with more uptime than a lot of fedi users

@cR0w @rootwyrm DO NOT UNPLUG

if you pull the PS/2 keyboard, the driver will unload and will not reload until next boot, which is

checks notes

never.

@kajer @cR0w fun related fact: I know of a very large institution which runs their own Certificate Authority.

This CA is basically openssl on a fully air-gapped laptop.
That laptop in 2021 was running RHEL4. Because it was *COMPLETELY* airgapped. No network. Only one USB port not filled with epoxy. Kept in a safe.
And this was deemed safe and secure because it was completely and totally airgapped.

@rootwyrm @cR0w that sounds delightfully 90s... but... how does one do cert issues? or verification of the full chain?

I only have questions

@kajer @rootwyrm Click Advanced and then Proceed (unsafe) like with any good enterprise system.
@cR0w @kajer @rootwyrm It's funny how meaningless full page big red scary "Security Risk Ahead" screens are when there's certificate issues since a lot of users I've seen will just follow these exact steps.

There are domains with HSTS which manage to convince the browser to delete the proceed button, but it's definitely a minority.

@kajer @rootwyrm @cR0w

This must have been the internal root CA. I know, because I used to run the internal root at a previous job. The workflow looked like this:

* get root CA from safe
* generate CSR on new issuing CA, copy to new flash drive
* plug flash drive into root CA, issue cert, copy to flash drive
* plug flash drive back into online machine, copy cert to issuing CA
* put root CA back in safe

There was a similar process for issuing the root CA's CRL every month.
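A constructed shell sketch of that two-tier workflow (added here; it is not ducksauz's or the institution's actual setup) using only the openssl CLI: the root self-signs, signs an issuing-CA CSR, and issues its CRL, and the script checks that what crosses the air gap chains to the root and carries no private key. It assumes a POSIX shell with openssl 1.1.1 or newer and its stock config on PATH; all names, lifetimes and file names are made up.

```shell
#!/bin/sh
# Constructed example of the offline-root / online-issuing-CA workflow above.
# Everything runs in one scratch directory; the bracketed comments mark which
# host each step would run on in the real process. Names and lifetimes are made up.
set -eu

build_offline_pki() (
  set -e
  cd "$1"

  # [offline root, lives in the safe] key + self-signed cert; the key never leaves
  openssl genrsa -out root.key 2048 2>/dev/null
  openssl req -new -key root.key -sha256 -subj "/CN=Example Offline Root CA" \
    -out root.csr 2>/dev/null
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' > root.ext
  openssl x509 -req -in root.csr -signkey root.key -days 3650 -sha256 \
    -extfile root.ext -out root.crt 2>/dev/null

  # [online issuing CA] its own key stays here; only the CSR rides the flash drive
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Example Issuing CA" -keyout issuing.key -out issuing.csr 2>/dev/null

  # [offline root] sign the CSR as a subordinate CA that cannot mint further CAs
  printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
    'keyUsage=critical,keyCertSign,cRLSign' > sub_ca.ext
  openssl x509 -req -in issuing.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 365 -sha256 -extfile sub_ca.ext -out issuing.crt 2>/dev/null

  # [offline root] the monthly chore: an (empty) root CRL good for 30 days
  printf '%s\n' '[ca]' 'default_ca = root' '[root]' 'database = index.txt' \
    'certificate = root.crt' 'private_key = root.key' \
    'default_md = sha256' 'default_crl_days = 30' > root.cnf
  : > index.txt
  openssl ca -config root.cnf -gencrl -out root.crl 2>/dev/null

  # [online] what came back on the drive must chain to the trusted root and pass
  # the CRL check, and must not contain private key material
  openssl verify -crl_check -CAfile root.crt -CRLfile root.crl issuing.crt >/dev/null
  if grep -q 'PRIVATE KEY' issuing.csr issuing.crt root.crl; then
    echo 'private key material found on the transfer files' >&2
    exit 1
  fi
)

# Stand-alone run: build the hierarchy in a temp dir and show the issued CA cert
workdir=$(mktemp -d)
build_offline_pki "$workdir"
openssl x509 -in "$workdir/issuing.crt" -noout -subject -issuer
```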

@ducksauz @kajer @cR0w yep, exactly that! There were actually *multiple* internal Root CAs.
The part that always made me giggle is that incomprehensibly, one of those internal roots was used with *HSMs*.

@rootwyrm @kajer @cR0w

HSMs in plural? My root had an HSM card in it (it was a desktop).

Though, I could see maybe having redundant USB attached HSMs and encrypting the root's PrivKey to KEKs stored in each HSM.

@ducksauz @kajer @cR0w HSMs very, VERY, *VERY* plural.

I was not directly involved, but my understanding was that they used the offline root CA as part of the authentication system to ensure they had not somehow wandered off the network.
These kinds of HSMs.

@rootwyrm @ducksauz @cR0w $previous_job - We had HSMs in AWS and paid a VERY pretty penny to keep those legacy as fuck machines running until we found something better... (we didn't by the time the COVID layoff happened)

@kajer @ducksauz @cR0w you really, really have to be an absolute idiot to pay for "cloud" HSMs, honestly. They are INSANELY expensive to say the very least, and it is completely impossible for them to actually be secure.
It just is. PHYSICAL inspection and PHYSICAL tamper indicators are a non-optional part of it.

Meanwhile a Thales Luna 7 hardware HSM at the very tippy top end (max perf, 5 partitions, ent support) costs less than half that.
For 3 years.

@kajer @ducksauz @cR0w and "less than half" is being... generous. I have priced out "cloud" HSMs for certificate services.

$135,000 per year for a miserable enterprise Java Beans "cloud HSM."
The "less secure" version that is just as insecure is still over $75k per year.
Venafi has a nice product. They charge you $100,000 per year to manage it "in the cloud." Not including HSM.

I can literally just whip out a credit card and buy a Luna 7 for $52k. And I actually own it.

@rootwyrm @ducksauz @cR0w not my money, it was a DevOps thing... Until I moved to the SecOps team, then we were tasked with finding HSM solutions to support our HashiCorp integrations...

Luckily my SecOps experience was revolving around defending the network from DevOps and constantly pulling logs from the F5 and Palo to prove that the latest DevOps push was to blame for application problems, and not the FW/LB policy

Dealing with HSMs and FEKs and the like was not what I would consider to be fulfilling work.

@kajer @cR0w @rootwyrm I'll never plug/unplug PS/2 keyboards ever again after the hard disk incident. I should've taken the two times the computer just managed to start seriously and done backups.

And that's how I met my new computer 🥲